Dropbox Encryption vs. Google Drive Encryption: Which is More Secure?

Dropbox and Google Drive are very different services that appeal to different users. While Drive is connected to the entire Google Apps (now known as G Suite) ecosystem, Dropbox is a lightweight, simple alternative for file storage. While both are useful, users need to look beyond features, and make sure the service they choose can adequately protect their data. Here’s how Dropbox encryption and Google Drive encryption stack up.

Dropbox and Google Drive Encryption

To their credit, both Dropbox and Google Drive protect user files with encryption. Both also allow users to enable two-step verification, which requires an extra code texted to the user’s phone to access the account, making it harder for hackers to access a user’s data. Finally, both services use perfect forward secrecy, which prevents hackers from using old session keys to hack files stored in the cloud.

Dropbox encryption uses 256-bit AES keys to protect files at rest, and encrypts data in motion with 128-bit AES SSL/TLS encryption or better. Google Drive encryption is similar; files in motion are protected using 256-bit SSL/TLS encryption, while those at rest are encrypted with 128-bit AES keys.

Dropbox and Google Security Vulnerabilities

Both Google Drive encryption and Dropbox Encryption have faced security exploits and threats in the past. SSL/TLS encryption depends on individual servers to protect data as it travels between the user’s computer and the cloud. Therefore, it can be broken or weakened by a server that has been compromised by a hacker, or doesn’t support the latest version of encryption, potentially allowing a bad actor to steal your data or login information. Additionally, Google only uses 128-bit AES keys for stored data — good, but not quite as strong as it should be.

A recently-discovered security exploit called the man-in-the-cloud attack may allow hackers to bypass both Google Drive encryption and Dropbox Encryption. A skilled hacker could steal the user’s synchronization token — a code that identifies the user to the cloud service. The hacker would then be able to access the user’s account directly without even knowing their login credentials. They could then steal, delete or vandalize anything on the account.

One Dropbox vulnerability compromised tax returns, mortgage applications and other sensitive data. Dropbox allows users to create shareable links that are only supposed to be accessible to people with the URL. The link, however, would share the URL when users clicked away from the shared document in a browser, or put the link in a search box and clicked on an ad. Although Dropbox eventually fixed part of the vulnerability — discovered in November 2013 — users can still inadvertently give advertisers access to their data, and no upcoming fix has been announced.

Taking it a Step Further to Protect Cloud Security

The most stubborn security issues are caused by user behavior. Dropbox and Google Drive encryption automatically decrypt your files when you login to your account, so if a hacker is able to steal or guess your password, encryption won’t protect you.

You can mitigate this risk with strong passwords — phrases that are at least 12 characters long, and contain uppercase and lowercase letters, numbers and symbols. You should also enable perfect forward secrecy, and change your password at least once every 90 days.

You also need to take precautions, in case users do access your files. Even a hacker who couldn’t bypass your encryption might still be able to re-encrypt your stored files, holding them for ransom until you pay a fee. Protect against this threat by keeping backup copies of your files on another service in case your originals are vandalized. Additionally, you should regularly examine your files for unauthorized changes that could indicate a hacker.

Don’t Place All Your Faith in Any One Service

Cloud services like Dropbox and Google Drive take many steps to secure user content; however, hackers are also working hard to find and exploit new vulnerabilities. By adding an extra layer of third party client-side encryption, you can protect against the “what-ifs,” ensuring a cloud storage provider vulnerability won’t expose your files to the bad guys.